8 Using the Host Monitor Agent

When you deploy the Database Firewall in Monitoring (Host Monitor) mode, the Host Monitor Agent captures SQL traffic from the network interface card of the host machine that is running the target database and securely forwards it to the Database Firewall.

8.1 About Host Monitoring

You can deploy Database Firewall in Monitoring (Host Monitor) mode.

Database Firewall monitors and analyzes the SQL traffic to the database. You can configure Database Firewall in the following deployment modes:

  • Monitoring / Blocking (Proxy)
  • Monitoring (Out-of-Band)
  • Monitoring (Host Monitor)

For descriptions of these deployment modes, see Introduction to Database Firewall Deployment.

The Monitoring (Host Monitor) deployment mode requires a Host Monitor Agent to be deployed on the host machine where the target database is running. You can configure the Host Monitor Agent to capture SQL traffic on ports that the database is listening on. The Host Monitor Agent can capture SQL traffic of multiple databases that are running on a single host machine, and it can capture SQL traffic when there are multiple network paths from clients to the target database.

After you deploy and configure the Host Monitor Agent on the agent machine, it performs the following actions:

  • Captures SQL traffic on ports that the database is listening on
  • Forwards the SQL traffic securely to Database Firewall

8.2 Installing and Enabling the Host Monitor Agent

Use this process to install and enable the Host Monitor Agent.

  1. Deploy the Host Monitor Agent on all the database servers where the database is running.
  2. Register the target.
  3. Create a Database Firewall monitoring point in Monitoring (Host Monitor) mode.
  4. Change the Database Firewall policy for the target from Default to the appropriate policy, if needed.

    See Types of Database Firewall Policies for the different policy types.

  5. Configure a NETWORK audit trail for the monitored target.

Note:

  • The Host Monitor Agent is supported on Linux, Solaris, AIX, and Windows platforms. It can monitor any database that is supported by the Database Firewall. See Table C-1 for supported databases.
  • The Host Monitor Agent supports the Solaris IPNET link type on Oracle Solaris SPARC64 and x86-64.
  • The Host Monitor Agent supports the Ethernet (EN10MB) link type for all supported platforms.
  • The Host Monitor Agent does not capture the SQL traffic from Oracle Database's Bequeath connections.

8.2.1 Host Monitor Agent Requirements

The Host Monitor Agent has different requirements for installation, depending on the platform.

To install the Host Monitor Agent on the Windows platform, follow these requirements:

  • Ensure that the Audit Vault Agent is running on the database server machine.
  • Follow the Npcap installation requirements for your Oracle Audit Vault and Database Firewall (Oracle AVDF) release.

    Host Monitoring on Windows requires Npcap for capturing network traffic.

    • For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the agent installation.

      Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine.

    • For Oracle AVDF release 20.5, Npcap is automatically downloaded along with the agent software (agent.jar) file.

      Use the Npcap installer file that is available under the Agent_Home\hm directory.

    • For Oracle AVDF release 20.4 and earlier, install Npcap from the avdf20-utility.zip bundle on Oracle Software Delivery Cloud. It is part of the Oracle AVDF installable files. Select the WinPcap-API-compatible option when installing Npcap.

  • Install the latest version of the OpenSSL (1.1.1g or higher) libraries.
  • Ensure that the Windows target machine has the latest update of the Visual C++ Redistributable for Visual Studio 2015 (MSVCRT.dll (*) or later) package from Microsoft installed.
  • If a network firewall is present, allow communication on port range 2050 - 5200.

    This is required for communication between the database server and the Database Firewall.

To install the Host Monitor Agent on a Linux, Unix, AIX, or Solaris platform, follow these requirements:

  • Ensure that the Audit Vault Agent is running on the database server machine.
  • Ensure that the latest version of the following packages from the operating system vendor are installed for the specific operating system version on the database server machine:

    • Libcap (for Linux hosts only)
    • LibPcap
    • OpenSSL
  • Ensure that gmake is installed for AIX database servers.

    For other Unix database server types (Linux, Unix, or Solaris), ensure that make is installed. This is required for the Host Monitor Agent to run successfully.

  • If a network firewall is present, allow communication on port range 2050 - 5200.

    This is required for communication between the database server and the Database Firewall.

  • Ensure that the input output completion ports (IOCP) setting is available for IBM AIX on Power Systems (64-bit).

    It's set to defined by default.
  • Ensure that all directories in the path of the Host Monitor Agent install location have 755 as the permission bits, starting from the root directory.

    This is required because the Host Monitor Agent has to be installed in a root-owned location.

  • Ensure that the Host Monitor Agent is installed by the root user.

See Also:

Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.

8.2.2 Validation During Host Monitor Agent Deployment

Learn about validations performed by Oracle AVDF when deploying the Host Monitor Agent.

Starting with Oracle AVDF release 20.6, the following validations are performed on the Linux/Unix/AIX/Solaris platforms when deploying the Host Monitor Agent. These requirements are mandatory; the Host Monitor Agent installation cannot be completed until they are met.

  • The Host Monitor Agent is being installed as the root user.
  • Whether a Host Monitor Agent process is already running on the host machine.
  • Whether the Input Output Completion Ports (IOCP) setting is available for IBM AIX on Power Systems (64-bit).
  • Whether gmake is installed for AIX database servers. For other Unix database server types (Linux/Unix/Solaris), whether make is installed.
  • Whether symlinks for the libssl, libcrypto, and libnsl libraries are present. On Linux, an additional check for the libaio symlink is performed.

Note:

If you run into any issues, see the following topics for more information:

8.2.3 Registering the Host Machine That Will Run the Host Monitor Agent

Learn how to register the host machine (such as a database server) on the Audit Vault Server.

To register a host on the Audit Vault Server, see Registering Hosts on the Audit Vault Server.

8.2.4 Deploying the Audit Vault Agent and Host Monitor Agent

Learn how to deploy the Audit Vault Agent and Host Monitor Agent on platforms like Linux, Solaris (x86-64), Solaris (Sparc64), AIX, and Windows.

8.2.4.1 Deploying the Host Monitor Agent on a Windows Host Machine

On Windows, the Host Monitor Agent is installed by the Audit Vault Agent. There are no separate Host Monitor Agent installable bundles available for download in the Audit Vault Server console. No separate action is required to install the Host Monitor Agent on Windows.

Follow these instructions before installing the Host Monitor Agent or updating from an older Oracle AVDF release.

8.2.4.1.1 Installing OpenSSL

The Host Monitor Agent uses OpenSSL to communicate with the Audit Vault Server and Database Firewall. OpenSSL 1.1.1g (or later) must be installed on the Windows host machine.

Note:

While installing OpenSSL on a Windows machine, you are prompted to choose a location to copy the OpenSSL DLLs as an additional configuration step. It is recommended that you choose the Windows System Directory option, because this location is added to the Path environment variable on a Windows machine by default. Otherwise, if you choose the OpenSSL bin directory option, ensure that the location is added to the Path environment variable.

Follow these steps to change environment variables after installing OpenSSL:

  1. In the Windows host machine, navigate to Control Panel.
  2. Click System, and then click Advanced system settings.
  3. In the Advanced tab, click on Environment Variables button.
  4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
  5. Click Edit button. The Edit environment variable dialog is displayed.
  6. Add the location of the OpenSSL bin directory at the beginning of the Path variable.

  7. Click OK to save the changes, and then exit all the dialogs.

8.2.4.1.2 Installing Npcap

Host Monitoring on Windows requires Npcap for capturing network traffic.

8.2.4.1.2.1 Installing Npcap for a Fresh Installation of the Host Monitor Agent

Follow these steps to install Npcap for a fresh installation of the Host Monitor Agent.

Note:

For Oracle AVDF release 20.6 and later, Npcap is automatically installed along with the Agent installation. Installing Npcap removes any existing installation of Npcap or WinPcap from the Windows host machine. The following steps are not required for release 20.6 and later.

  1. Log in to Oracle Software Delivery Cloud.
  2. Note and follow Npcap manual installation details:

    • For Oracle AVDF release 20.5 and later, Npcap is automatically downloaded along with the Agent software (agent.jar) file. The Npcap installer file is available under Agent_Home\hm directory.

    • For Oracle AVDF release 20.4 and earlier, install the Npcap that is available in the avdf20-utility.zip bundle in Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Be sure to install Npcap in WinPcap-API-compatible mode.

  3. Install Npcap. For Oracle AVDF releases 20.5 and earlier, complete the Npcap installation on the Windows host machine. Be sure to install in WinPcap-API-compatible mode. Installing Npcap in WinPcap-API-compatible mode removes any existing installation of WinPcap from the Windows machine.

8.2.4.1.2.2 Updating from Oracle AVDF 12.2 BP13, 12.2 BP14, or 20.1 - 20.4 to Oracle AVDF 20.5 or Later

Before updating from Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 BP13, 12.2 BP14, or 20.1 - 20.4 to Oracle AVDF 20.5 or later, follow these steps to reinstall Npcap.

  1. Log in to Oracle Software Delivery Cloud.
  2. Reinstall the Npcap that is available in the avdf20-utility.zip bundle on the Oracle Software Delivery Cloud. It's part of the Oracle AVDF installable files.

    Be sure to reinstall Npcap in WinPcap-API-compatible mode. This removes any existing installations of Npcap or WinPcap from the Windows machine.

8.2.4.1.2.3 Updating from Oracle AVDF 12.2 BP9 or 12.2 BP10 to Oracle AVDF 20.1 or Later

Before updating from Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 BP9 or 12.2 BP10 to Oracle AVDF 20.1 or later, follow these steps to reinstall Npcap.

Host Monitoring on Windows functionality requires Npcap. Follow these steps to continue using Host Monitor Agent on Windows from 12.2.0.9.0 or 12.2.0.10.0, before upgrading to Oracle Audit Vault and Database Firewall release 20:

  1. Stop the Audit Vault Agent running on the Windows host machine.
  2. Log in to 12.2 Audit Vault Server console as administrator.
  3. Verify the audit trails and the Audit Vault Agent are in STOPPED state.
  4. Log in to My Oracle Support, and download Npcap that is available with Oracle AVDF release 20 upgrade files.
  5. Complete the Npcap installation on the Windows host machine. Be sure to install in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
  6. Follow verification steps below to ensure Npcap installation is completed successfully.
  7. Restart the Audit Vault Agent on the Windows host machine.
  8. Start the network trails using the Audit Vault Server console.
  9. The Host Monitor Agent is now powered by Npcap during runtime. Verify the network trail collection.
  10. Proceed with the Audit Vault Server upgrade.

Note:

  • Ensure that the audit trails and the Audit Vault Agent are in the STOPPED state before installing Npcap. Otherwise, an error may occur.
  • Do not delete the DLL files that the Npcap installation creates.

8.2.4.1.2.4 Verifying the Npcap Installation

After you install or upgrade Npcap, verify that the installation was successful.

  1. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap-API-compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
  2. Add the Npcap sub directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  3. Confirm the changes in the Path environment variable.

8.2.4.2 Deploying the Host Monitor Agent on a Unix Host Machine

Learn about deploying the Host Monitor Agent on Unix hosts.

  1. Before you install the Host Monitor Agent, ensure you have deployed the Audit Vault Agent.
  2. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the Host Monitor Agent.

    Note: The entire directory hierarchy must be root-owned. All the directories in this hierarchy must have read and execute permission for other users or groups, but not write permission.

  3. Log in to the Audit Vault Server console as an administrator.
  4. Click the Agents tab.
  5. In the left navigation menu:
  6. On the page listing the agent software, click the Download button corresponding to your Unix version, and then save the .zip file to the root-owned directory (on the local hard disk) you identified in Step 2, for example /usr/local.
  7. As root user, unzip the Host Monitor Agent file, agent-<platform>-hmon-one.zip (for example, agent-linux-x86-64-hmon-one.zip).

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  8. Ensure that the hostmonsetup file (in the hm directory) has the execute permission for the owner.
  9. Run the following command from the HM_Home directory:
    HM_Home/hostmonsetup install [agentuser=Agent_Username] [agentgroup=Agent_Group]
    
    • HM_Home - The directory created in Step 7.

    • Agent_Username - (Optional) Enter the user name of the user who installed the Audit Vault Agent (the user who executed the java -jar agent.jar command).

    • Agent_Group - (Optional) Enter the group to which the Agent_Username belongs.
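The requirements in 8.2.1, the validations in 8.2.2, and the Step 2 note above all describe checks that a Linux administrator can run before unzipping the bundle. The following pre-flight script is an added example (not Oracle's code and not part of hostmonsetup) that reproduces the documented checks: root user, make or gmake present, lib*.so symlinks for libssl, libcrypto, libnsl and (Linux) libaio, and a root-owned 755 directory chain down to the planned HM_Home. It assumes GNU coreutils stat (Linux); the HM_LIBDIRS search list is an assumption for typical Linux layouts, and the optional OWNER and TOP parameters of hm_check_path exist so the check can be exercised outside a root-owned tree. The running-process validation is not reproduced because the page does not name the process.

```shell
#!/bin/sh
# Added example, not Oracle's code: pre-flight checks mirroring 8.2.1/8.2.2.
# Assumes GNU coreutils `stat` (Linux). Adjust HM_LIBDIRS for your distribution.
HM_LIBDIRS=${HM_LIBDIRS:-"/lib64 /usr/lib64 /lib /usr/lib /usr/lib/x86_64-linux-gnu"}

# hm_check_root: the Host Monitor Agent must be installed by root.
hm_check_root() { [ "$(id -u)" -eq 0 ]; }

# hm_check_make [NAME]: gmake on AIX, make on other Unix platforms.
hm_check_make() { command -v "${1:-make}" >/dev/null 2>&1; }

# hm_check_libs "DIR ..." LIB...: each LIB needs a <lib>.so symlink in one of DIRs.
hm_check_libs() {
    dirs=$1; shift; rc=0
    for lib in "$@"; do
        found=0
        for d in $dirs; do
            [ -L "$d/$lib.so" ] && { found=1; break; }
        done
        [ $found -eq 1 ] || { echo "missing symlink: $lib.so"; rc=1; }
    done
    return $rc
}

# hm_check_path DIR [OWNER] [TOP]: every directory from TOP (default /) down to
# DIR must be owned by OWNER (default root) with permission bits 755.
# Prints one line per offending directory; returns 1 if any was found.
hm_check_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1"; return 1; }
    owner=${2:-root}; top=${3:-/}; rc=0
    while :; do
        set -- $(stat -c '%U %a' "$dir")    # owner name, octal mode bits
        [ "$1" = "$owner" ] || { echo "$dir: owned by $1, expected $owner"; rc=1; }
        [ "$2" = "755" ]    || { echo "$dir: mode $2, expected 755"; rc=1; }
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# hm_preflight HM_PARENT [MAKE]: run every check; returns 0 only if all pass.
hm_preflight() {
    ok=0
    hm_check_root || { echo "not running as root"; ok=1; }
    hm_check_make "${2:-make}" || { echo "${2:-make} is not installed"; ok=1; }
    hm_check_libs "$HM_LIBDIRS" libssl libcrypto libnsl libaio || ok=1
    hm_check_path "$1" || ok=1
    return $ok
}

# Usage, as root, before unzipping agent-<platform>-hmon-one.zip into /usr/local:
#   hm_preflight /usr/local          # Linux: make
#   hm_preflight /usr/local gmake    # AIX: gmake
```

Run it from the shell you will use for hostmonsetup; any line it prints names a requirement that the 20.6+ installer validation will also reject.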

8.2.5 Creating a Target for the Host-Monitored Database

Learn how to create a target for the host-monitored database.

8.2.6 Creating a Monitoring Point for the Host Monitor Agent

A monitoring point is a logical entity on the Database Firewall host that contains the configuration and rules for monitoring the SQL traffic that is received.

  1. Log in to the Audit Vault Server console as an administrator.
  2. Click the Targets tab.

    The Targets tab in the left navigation menu is selected by default.

  3. Select and click on a specific target from the list.
  4. From the Database Firewall Monitoring section on the main page, click on Add. The Database Firewall Monitor dialog is displayed.
  5. In the Basic tab (for 20.3 or later the name of the tab is Core), enter the name for the Database Firewall instance or select one from the list.
  6. Select Monitoring (Host Monitor) as the deployment type from the list. In this mode, the Database Firewall can only monitor the SQL traffic.
  7. Choose a Network Interface Card for the Database Firewall host from the list.

    Note:

    • For Oracle AVDF 20.2 and earlier, it is recommended to select a network interface card that is not used as a Management Interface. This segregates the traffic from Host Monitor Agent to the Database Firewall and the traffic from the Database Firewall to Audit Vault Server.
    • For Oracle AVDF release 20.3 and later, you must select a network interface card which has an IP address configured. All the network interface cards which have an IP address configured are displayed in the Network Interface Card list. It is recommended to select a network interface card that is not used as a Management Interface. This segregates the traffic from Host Monitor Agent to the Database Firewall and the traffic from the Database Firewall to Audit Vault Server.
  8. In the Connection Details section, select one or more targets for which the traffic needs to be monitored. You can Add the targets from the list.

    Note:

    For Oracle RAC, enter the IP address of the individual RAC node in the Target Connections field.

    Enter the following information for each available connection of the database. Click the Add button to add more targets and enter the following fields:

    • Host Name / IP Address
    • Port
    • Service Name (Optional, for Oracle Database only). SID can be used in this field. To enter multiple service names and/or SIDs, enter a new line for each of them, and then click Add. Multiple entries are allowed for monitoring only mode. To enforce different Database Firewall policies for different service names or SIDs on the same database, create a separate target and a monitoring point for each service name or SID.

    Note:

    Starting with Oracle AVDF release 20.7, for Linux hosts with multiple network devices, add a row for every network device from which the database traffic is expected to arrive.
  9. Click the Advanced tab, and enter the number of Database Firewall Monitor Threads (minimum value is 1). This controls the number of traffic handling threads in the Database Firewall monitoring point. The default value is 1. This value can be increased when a high transaction rate (traffic per second) is observed and packet-dropped messages are reported in the /var/log/messages file. Contact Oracle Support while changing this number.
  10. Select the check box for Decrypt With Network Native Encryption Key field only for Oracle Database targets. This is for enabling decryption of traffic if the database is using Oracle Native encryption. Decrypt with network native encryption key option also supports retrieval of session information for Oracle Database. Complete the remaining fields as applicable.

    For Oracle standalone database targets, enter the IP address of the database listener in the IP Address field.

    For other database types (non Oracle) the field is Retrieve session information from target DB. Select this field to retrieve session information such as OS User Name, DB User Name, client application name, and IP address from the target database.

    Note:

    Ensure that the Database Firewall is allowed to make a network connection to the above-mentioned database.
  11. Click Save at the bottom of the dialog to save the configuration of the monitoring point.

    The new monitoring point appears in the list and starts automatically.

    Note:

    The message "Default Database Firewall Policy will be applied for this Database Firewall Monitoring Point" is displayed at the bottom of the dialog.
  12. Click Save in the main page.
  13. To stop or restart the monitoring point, select it from the Database Firewall Monitoring section and click Stop or Start.

8.2.7 Creating a Network Audit Trail

Create an audit trail for each target that you monitor with a Host Monitor Agent.

Specify NETWORK for the audit trail type.

Note:

Ensure that the collection attribute network_device_name_for_hostmonitor is configured for the targets that are monitored by the Host Monitor Agent. The name of the network interface card is the attribute value. The network interface card receives all the network traffic of the target database.

8.3 Starting, Stopping, and Other Host Monitor Agent Operations

Learn about starting, stopping, and other Host Monitor Agent operations.

8.3.1 Starting the Host Monitor Agent

Starting the Host Monitor Agent involves starting collection for the NETWORK audit trail on the host that you're monitoring.

To start the Host Monitor Agent from the Audit Vault Server console:

  1. Log in to the Audit Vault Server console as an administrator.
  2. Start the audit trail(s) you created for host monitoring in Creating a Network Audit Trail.

8.3.2 Stopping the Host Monitor Agent

To stop the Host Monitor Agent, stop the audit trail that you created for the target that is being monitored.

8.3.3 Changing the Logging Level for a Host Monitor Agent

Learn about changing the logging level for Host Monitor Agents.

8.3.4 Viewing Host Monitor Agent Status and Details

You can view whether a Host Monitor Agent is installed and information like its location, version, update time, and other details.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Agents tab.
  3. In the left navigation menu, select Agent Hosts.
  4. In the page that appears, check the Host Monitor Status and the Host Monitor Details columns for the host you are interested in.

8.3.5 Checking the Status of a Host Monitor Agent Audit Trail

Learn how to check the status of a Host Monitor Agent audit trail.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab, and then from the left navigation menu, select Audit Trails.
  3. In the status page that appears, in the Audit Trail Type column, search for audit trails of type NETWORK to find audit trails for Host Monitor Agents.

8.3.6 Uninstalling a Host Monitor Agent (Unix Hosts Only)

This procedure applies to Unix hosts only. On Windows hosts, the Host Monitor Agent is installed as part of the Audit Vault Agent, so you don't need to uninstall the Host Monitor Agent. However, after uninstalling the Audit Vault Agent from a Windows host, you should also uninstall Npcap.

  1. Log in to the host computer as root.
  2. From the HM_Home directory (where you installed the Host Monitor Agent in Step 7) run the following command:

    hostmonsetup uninstall

8.4 Updating a Host Monitor Agent (Unix Hosts Only)

When you update the Audit Vault Server to a new release, the Host Monitor Agent is automatically updated.

8.5 Using Mutual Authentication for Communication Between the Database Firewall and the Host Monitor Agent

By default, the Database Firewall allows the Host Monitor Agent connection based on one-way authentication. To provide mutual authentication, follow these steps after installing the Host Monitor Agent.

  1. Stop the network trail for the Host Monitor Agent.
  2. On the Database Firewall, log in as root and run the following commands:
    • For Oracle AVDF release 20.7 and later:

      cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
      chown arbiter:arbiter /usr/local/dbfw/etc/fw_ca.crt
      chmod 400 /usr/local/dbfw/etc/fw_ca.crt
      /usr/local/dbfw/bin/dbfwctl restart
    • For Oracle AVDF release 20.6 and earlier:

      cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
      chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
      chmod 400 /usr/local/dbfw/etc/fw_ca.crt
      /usr/local/dbfw/bin/dbfwctl restart
  3. On the Audit Vault Server, log in as root and complete the following steps:

    1. Change to the /usr/local/dbfw/etc directory.
    2. Run the following commands:

      openssl genrsa -out hmprivkey.perm 2048
      openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonitor_Cert_hostname/"

      The hostname is the name of the database server where the Host Monitor Agent is installed.

    3. Generate a signed certificate by running the following command:

       /usr/local/dbfw/bin/generate_casigned_hmcert.sh

      The signed certificate file, hmcert.crt, is generated in the /usr/local/dbfw/etc directory.

  4. Copy the following files from the Audit Vault Server to the HOSTMON_HOME directory on the database server where the Host Monitor Agent is installed:

    • /usr/local/dbfw/etc/hmcert.crt
    • /usr/local/dbfw/etc/hmprivkey.perm
  5. (Unix hosts only) As root, run the following commands:

    chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
  6. (Windows hosts only) Ensure that the hmcert.crt and hmprivkey.perm have agent user ownership and appropriate permissions to prevent unwanted user access.
  7. Start the network trail to capture the network traffic.
  8. Repeat this procedure for every host running the Host Monitor Agent.
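Before restarting the network trail in step 7, it is worth confirming on the database server that the copied material is consistent: hmcert.crt must chain to the Database Firewall's controller.crt (the file step 2 installs as fw_ca.crt), hmprivkey.perm must be the key the CSR was generated from, and both files must be owner-only readable. The script below is an added example, not Oracle's code or part of the agent; it assumes the openssl CLI and GNU coreutils stat (Linux), and takes the expected owner as a parameter (root on Unix hosts, per step 5) so it can also be used on hosts where the agent user owns the files.

```shell
#!/bin/sh
# Added example, not Oracle's code: sanity-check the mutual-auth material on a
# Host Monitor Agent host. Requires the openssl CLI and GNU coreutils `stat`.
#
# hm_verify_mtls CERT KEY CA [OWNER]
#   Returns 0 when CERT is signed by CA, KEY's public key matches CERT, and both
#   files are mode 400 owned by OWNER (default root). Prints the first failure.
hm_verify_mtls() {
    cert=$1; key=$2; ca=$3; owner=${4:-root}
    # 1. The Database Firewall will only accept a certificate its CA signed.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert is not signed by $ca"; return 1; }
    # 2. Compare the public key embedded in CERT with the one derived from KEY.
    cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) \
        || { echo "cannot read certificate $cert"; return 1; }
    kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null) \
        || { echo "cannot read private key $key"; return 1; }
    [ "$cpub" = "$kpub" ] || { echo "$key does not match $cert"; return 1; }
    # 3. Step 5 of the procedure: owner-only read (400) on both files.
    for f in "$cert" "$key"; do
        set -- $(stat -c '%U %a' "$f")    # owner name, octal mode bits
        [ "$1" = "$owner" ] || { echo "$f: owned by $1, expected $owner"; return 1; }
        [ "$2" = "400" ]    || { echo "$f: mode $2, expected 400"; return 1; }
    done
    return 0
}

# hm_cert_cn CERT: print the subject in RFC 2253 form, e.g. CN=Hostmonitor_Cert_<hostname>,
# so it can be compared against the host the agent runs on.
hm_cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Usage on a Unix database server after step 5 (controller.crt copied from the
# Database Firewall to a location of your choice):
#   hm_verify_mtls Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm /path/to/controller.crt
#   hm_cert_cn Agent_Home/hm/hmcert.crt
```

A mismatch between the key and certificate, or a certificate signed by something other than the controller certificate, shows up here as a clear message rather than as a trail that silently fails to start after step 7.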